diff --git a/example/gateway/certbot/Fockerfile b/example/gateway/certbot/Fockerfile
new file mode 100644
index 0000000..2de9aac
--- /dev/null
+++ b/example/gateway/certbot/Fockerfile
@@ -0,0 +1,30 @@
+base: freebsd-latest
+
+steps:
+ - run:
+ - ASSUME_ALWAYS_YES=yes IGNORE_OSVERSION=yes pkg install py37-certbot python3
+ - mkdir -p /certbot/data
+ - mkdir -p /certbot/webroot
+ - mkdir -p /certbot/scripts
+ - chown -R nobody:nobody /certbot
+ - chmod 0750 /certbot
+ - copy:
+ - [ files/certbot.py,
+ /certbot/scripts/certbot.py ]
+ - [ files/crontab_nobody,
+ /root/crontab_nobody ]
+ - [ ../files/cookiecutter.json,
+ /certbot/data/metadata.json ]
+ - run:
+ - crontab -u nobody /root/crontab_nobody
+ - rm -v /root/crontab_nobody
+ - mkdir -p /usr/local/etc/letsencrypt
+ - mkdir -p /var/log/letsencrypt
+ - mkdir -p /var/db/letsencrypt
+ - chown nobody:nobody /var/log/letsencrypt
+ - chown nobody:nobody /var/db/letsencrypt
+ - run:
+ - sysrc sshd_enable=NO
+ - sysrc sendmail_enable=NONE
+ - sysrc clear_tmp_enable=YES
+ - sysrc syslogd_flags="-ss"
diff --git a/example/gateway/certbot/files/certbot.py b/example/gateway/certbot/files/certbot.py
new file mode 100644
index 0000000..0ab2adc
--- /dev/null
+++ b/example/gateway/certbot/files/certbot.py
@@ -0,0 +1,24 @@
+import json
+import subprocess
+
+
+def main():
+ with open('/certbot/data/metadata.json', 'r') as f:
+ data = json.load(f)
+ ips = data['ips'][0]
+ domains = data['domains'][0]
+ for ds in domains:
+ cmd = [ '/usr/local/bin/certbot', 'certonly', '--webroot',
+ '-w', '/certbot/webroot', '--server', 'https://127.0.11.1:14000/dir',
+ '--email', 's.adaszewski@gmail.com', '--no-verify-ssl', '-n',
+ '--agree-tos', '--expand' ]
+ for d in ds:
+ cmd.append('-d')
+ cmd.append(d)
+ ret = subprocess.run(cmd)
+ if ret.returncode != 0:
+ raise RuntimeError('Failed certbot certonly for:', ' '.join(ds))
+
+
+if __name__ == '__main__':
+ main()
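Review bot: Everything this jail writes — the ACME account key and issued private keys under /usr/local/etc/letsencrypt and /var/db/letsencrypt, plus the renewal crontab — ends up owned by the shared `nobody` account (`chown -R nobody:nobody /certbot`, `crontab -u nobody`), so any other process that ever runs as nobody inside the jail can read the keys and rewrite the renewal job. A dedicated unprivileged account (e.g. `pw useradd certbot -d /certbot -s /usr/sbin/nologin` before the chown line, then `chown -R certbot:certbot /certbot` and `crontab -u certbot /root/crontab_nobody`) confines the material to one identity; the matching volume `chown:` in focker-compose.yml would change with it. Note also that `/usr/local/etc/letsencrypt` is created here without a chown and only becomes writable for the unprivileged user because the compose file appears to mount an already-chowned volume over it — a one-line comment on that `mkdir` saying so would save the next reader a trip through the compose file.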
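Review bot: `--no-verify-ssl` in the `cmd` list disables certificate validation for every ACME exchange, and because `--server` is a hardcoded literal in the same list the switch silently stays in effect if this script is later pointed at a real CA. Prefer trusting the Pebble test CA explicitly — drop `--no-verify-ssl` and run certbot with `REQUESTS_CA_BUNDLE` set to a copy of Pebble's CA certificate, e.g. `subprocess.run(cmd, env={**os.environ, 'REQUESTS_CA_BUNDLE': '/certbot/data/pebble-ca.pem'})` (needs `import os`) — and read the server URL and `--email` address from `metadata.json` next to `domains` rather than baking a personal address into the image. `ips` is read from the metadata and never used. A docstring on `main()` should state the expected shape of metadata.json (`domains[0]` is a list of domain groups; one `certonly` run per group, and certbot names the lineage after the group's first entry), since the nginx-https template's `cookiecutter.domains[i][0]` path depends on exactly that.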
diff --git a/example/gateway/certbot/files/crontab_nobody b/example/gateway/certbot/files/crontab_nobody new file mode 100644 index 0000000..a577bdb --- /dev/null +++ b/example/gateway/certbot/files/crontab_nobody @@ -0,0 +1 @@ +@weekly /usr/local/bin/certbot renew --webroot -w /certbot/webroot --server https://127.0.11.1:14000 --no-verify-ssl -n --agree-tos >/dev/null 2>&1 diff --git a/example/gateway/focker-compose.yml b/example/gateway/focker-compose.yml index 1783d90..e29de25 100644 --- a/example/gateway/focker-compose.yml +++ b/example/gateway/focker-compose.yml @@ -3,8 +3,16 @@ prebuild: volumes: - certbot-data: {} - certbot-webroot: {} + certbot-data: + chown: 65534:65534 + chmod: 0750 + zfs: + quota: 1G + certbot-webroot: + chown: 65534:65534 + chmod: 0750 + zfs: + quota: 1G images: @@ -17,14 +25,20 @@ jails: nginx-http: image: nginx-http mounts: - certbot-webroot: /srv/certbot-webroot + certbot-webroot: /certbot/webroot certbot: image: certbot depend: nginx-http mounts: - certbot-data: / + certbot-data: /usr/local/etc/letsencrypt + certbot-webroot: /certbot/webroot + exec.start: | + ( /usr/bin/su -m nobody -c "python3 /certbot/scripts/certbot.py" && \ + /bin/sh /etc/rc ) & nginx-https: image: nginx-https depend: certbot + mounts: + certbot-data: /usr/local/etc/letsencrypt diff --git a/example/gateway/nginx-http/Fockerfile b/example/gateway/nginx-http/Fockerfile index 69e65a6..9be8498 100644 --- a/example/gateway/nginx-http/Fockerfile +++ b/example/gateway/nginx-http/Fockerfile @@ -19,4 +19,4 @@ steps: - ASSUME_ALWAYS_YES=yes IGNORE_OSVERSION=yes pkg autoremove - rm -rvf /root/nginx_template - rm -rvf ./nginx_conf - - mkdir -p /srv/certbot-webroot + - mkdir -p /certbot/webroot diff --git a/example/gateway/nginx-https/Fockerfile b/example/gateway/nginx-https/Fockerfile index 841774f..8cb0b67 100644 --- a/example/gateway/nginx-https/Fockerfile +++ b/example/gateway/nginx-https/Fockerfile 
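Review bot: The renewal job passes `--server https://127.0.11.1:14000` while certbot.py enrols against `https://127.0.11.1:14000/dir`; `--server` takes the ACME directory URL, so if the flag is honoured on renew every weekly run will fail — and `>/dev/null 2>&1` guarantees nobody hears about it. Use the same directory URL, `--server https://127.0.11.1:14000/dir`, and keep at least stderr, e.g. `2>>/var/log/letsencrypt/renew-cron.log`, a directory the certbot Fockerfile already chowns to nobody. `--no-verify-ssl` raises the same concern as in certbot.py: acceptable against the local Pebble, but it must not survive a switch to a production CA, so a comment marking it as test-only belongs on this line.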
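Review bot: `chmod: 0750` together with `chown: 65534:65534` on `certbot-webroot` lets only uid/gid 65534 enter the directory, yet the same volume is mounted into nginx-http, whose worker has to read the http-01 challenge files; unless nginx there runs as nobody, challenges will be unreadable and issuance fails (and `PEBBLE_VA_ALWAYS_VALID=1` in the pebble compose file masks exactly that failure). The webroot only ever holds public challenge tokens, so `chmod: 0755` for certbot-webroot is the right setting; keep `0750` for certbot-data, which holds private keys. A one-line comment on each volume stating its reader (`# served by the nginx-http worker` / `# private keys: certbot and the nginx-https master only`) would stop a later edit from tightening the wrong one.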
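Review bot: The new `exec.start` backgrounds `( su … certbot.py && /bin/sh /etc/rc ) &`, so the certbot jail reports started before any certificate exists, and `nginx-https` — which `depend`s on certbot and reads `fullchain.pem`/`privkey.pem` from the shared certbot-data volume — can start before they are written; if focker's `depend` only orders jail start, nginx will fail to load the missing files on first boot. When certbot.py fails, `/etc/rc` never runs either, so cron and therefore renewal are silently absent. Run issuance in the foreground and let rc start regardless, e.g. `/usr/bin/su -m nobody -c "python3 /certbot/scripts/certbot.py" || echo "certbot enrolment failed" >&2; /bin/sh /etc/rc`. Note too that a renewed certificate is only picked up by nginx-https after a reload, which a cron job inside the certbot jail cannot trigger across the jail boundary — that gap deserves at least a comment next to the `certbot-data` mount.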
@@ -19,4 +19,10 @@ steps: - ASSUME_ALWAYS_YES=yes IGNORE_OSVERSION=yes pkg autoremove - rm -rvf /root/nginx_template - rm -rvf ./nginx_conf - - mkdir /certbot-data + - mkdir -p /usr/local/etc/letsencrypt + - mkdir -p /certbot/webroot + - run: + - sysrc sshd_enable=NO + - sysrc sendmail_enable=NONE + - sysrc clear_tmp_enable=YES + - sysrc syslogd_flags="-ss" diff --git a/example/gateway/nginx-https/files/nginx.conf b/example/gateway/nginx-https/files/nginx.conf index a9bf1a5..21d8ad6 100644 --- a/example/gateway/nginx-https/files/nginx.conf +++ b/example/gateway/nginx-https/files/nginx.conf @@ -12,11 +12,14 @@ http { server { listen 443 ssl; server_name {{ ' '.join(cookiecutter.domains[i]) }}; - ssl_certificate /certbot-data/config/live/{{ cookiecutter.domains[i][0] }}/{{ cookiecutter.domains[i][0] }}.crt; - ssl_certificate_key /certbot-data/config/live/{{ cookiecutter.domains[i][0] }}/{{ cookiecutter.domains[i][0] }}.key; + ssl_certificate /usr/local/etc/letsencrypt/live/{{ cookiecutter.domains[i][0] }}/fullchain.pem; + ssl_certificate_key /usr/local/etc/letsencrypt/live/{{ cookiecutter.domains[i][0] }}/privkey.pem; location / { - proxy_pass http://{{ cookiecutter.ips[i] }}/; + proxy_pass http://{{ cookiecutter.ips[i] }}; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_request_buffering off; } } {% endfor %} diff --git a/example/pebble/Fockerfile b/example/pebble/Fockerfile new file mode 100644 index 0000000..254ba6e --- /dev/null +++ b/example/pebble/Fockerfile @@ -0,0 +1,15 @@ +base: freebsd-latest + +steps: + - run: + - ASSUME_ALWAYS_YES=yes IGNORE_OSVERSION=yes pkg install go git + - run: + - mkdir /go + - export GOPATH=/go + - go get -u github.com/letsencrypt/pebble/... + - cd $GOPATH/src/github.com/letsencrypt/pebble + - go install ./... + - run: + - ASSUME_ALWAYS_YES=yes IGNORE_OSVERSION=yes pkg remove go git + - ASSUME_ALWAYS_YES=yes IGNORE_OSVERSION=yes pkg autoremove + 
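Review bot: `mkdir -p /certbot/webroot` is added to the nginx-https image, but the compose change only mounts `certbot-data` into the nginx-https jail, so this directory is never populated there; either drop the line or add the `certbot-webroot` mount if the https jail is meant to answer challenges too, and say which in a comment. The `sysrc` hardening block is byte-for-byte the one added to the certbot Fockerfile; if `freebsd-latest` is the common base, moving it there (or into one shared step) keeps the two jails from drifting.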
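Review bot: The new `proxy_set_header` lines forward `Host` and `X-Real-IP` but not the scheme, so an application behind this TLS terminator sees a plain `http://` request and will emit insecure redirects and cookies without `Secure`; add `proxy_set_header X-Forwarded-Proto $scheme;` and `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` beside them. Since `proxy_pass` goes to `http://{{ cookiecutter.ips[i] }}`, TLS ends in this jail and the upstream hop is plaintext — a comment stating that (`# TLS terminates here; upstream is plaintext on the jail network`) is worth having on the `proxy_pass` line. No `ssl_protocols`/`ssl_ciphers` appear in this `server` block; if they are not set in the enclosing `http {}` block, which begins outside the hunk, the installed nginx's defaults apply and should be checked.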
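Review bot: `go get -u github.com/letsencrypt/pebble/...` fetches whatever the default branch is at build time and, with `-u`, the newest version of every dependency, so the test-CA image is unpinned and not reproducible; pin a tagged release (a `git clone --branch <tag>` into `$GOPATH/src/github.com/letsencrypt/pebble` before `go install`, or `@<tag>` in module mode) and drop `-u`. Separately, if focker runs each `- run` item in its own shell, `export GOPATH=/go` and the `cd` do not carry over and `go install ./...` would execute in the wrong directory — if the items are joined with `&&` this is fine, but it deserves a comment either way. `IGNORE_OSVERSION=yes` also silences pkg's ABI-mismatch check, which is usually a sign the base image should be refreshed rather than the check overridden.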
diff --git a/example/pebble/focker-compose.yml b/example/pebble/focker-compose.yml
new file mode 100644
index 0000000..72abbab
--- /dev/null
+++ b/example/pebble/focker-compose.yml
@@ -0,0 +1,12 @@
+image:
+ pebble: .
+
+jails:
+ pebble:
+ image: pebble
+ ip4.addr: 127.0.11.1
+ exec.start: |
+ cd /go/src/github.com/letsencrypt/pebble && \
+ export PEBBLE_VA_ALWAYS_VALID=1 && \
+ nohup /go/bin/pebble -config test/config/pebble-config.json &
+
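Review bot: `PEBBLE_VA_ALWAYS_VALID=1` makes Pebble accept every authorization without ever fetching the http-01 challenge from nginx-http, so the webroot wiring (the `/certbot/webroot` mount and its permissions) is never exercised and can be broken without this example noticing; either leave it unset so validation actually runs against the gateway, or add `# skips http-01 validation — the webroot path is NOT tested with this set` above the export. `nohup … &` leaves Pebble unsupervised with its output in `nohup.out`, and because `exec.start` returns immediately the certbot jail may begin enrolling before the directory endpoint is listening. Pebble also runs as root here although it needs no privileges; `daemon -u <user> -p <pidfile>` (or `su -m`) is the FreeBSD-native way to run it unprivileged and supervisable.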